This course focuses on API security and explains the kinds of vulnerabilities that can be found inside APIs, how to exploit them, and how to secure them. These skills will allow you to earn bug bounties from the vulnerabilities you find and also to protect your own APIs.
Hi, welcome to the last challenge. Now we're going to finish this up and also have our closure in this lecture. As you can see in API10, it says that nothing has been logged or monitored, you called us. And over here we have a get flag endpoint. I believe this is a simple one. He says that I'm not kidding. So let's go to API9. Of course, let's disable this intercept. And I believe we can close this down. Okay. And here you go. Now, if I go to API10, as you can see I have to turn off the proxy from here as well in order to make this work, because Burp Suite was open all the time. Now, if I come over here to the get-flag API and just send the request, as you can see we get the flag. So, this is a free one. It says that hey, I didn't log and monitor all the requests you have been sending, that's on me. So, the idea over here is that the author, the creator of this challenge, didn't want us to go through hell in the last API, and also he wanted to remind us that we have to log everything. Like we have to log these requests and responses in order to have a secure, completely secure API. Because I have been hacking all these endpoints so far, right, for the last three hours, and it appears that they didn't even log it. So, they don't know what the hell was going on.

So, I'm going to close everything down. Okay. We are done over here. Now, I hope you have learned about Postman usage, now you can use it fluently, right? Maybe you learned about Burp Suite a little bit more. And most importantly, I believe you learned about API security, how to find vulnerabilities in the endpoints and how to make them secure. Now, this is a great way to pen test and earn some bug bounty money. Of course, if you are allowed to do so.
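The lesson of API10 is that the requests from the previous challenges should have produced log records and tripped a monitor. The following Python is an added example, not part of the course or the challenge application: it writes one JSON-lines access-log record per API call, then slides a time window over a constructed log and flags any client that collects many error responses or touches many distinct endpoints, the kind of footprint hours of endpoint poking leaves behind. The IP addresses, paths and thresholds are assumptions chosen for the illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def log_request(method, path, status, client_ip, user=None, ts=None):
    """One JSON-lines access-log record. Log what is needed to reconstruct
    an incident (who, what, when, result); never log Authorization headers,
    tokens or request bodies that may carry passwords."""
    ts = ts or datetime.now(timezone.utc)
    return json.dumps({"ts": ts.isoformat(), "method": method, "path": path,
                       "status": status, "client_ip": client_ip, "user": user})

def detect_probing(log_lines, window=timedelta(minutes=10), max_errors=5, max_paths=8):
    """Monitor: for each client, slide a time window over its records and flag
    it when the window holds more than max_errors 4xx/5xx responses or more
    than max_paths distinct endpoints. Returns {client_ip: set(reasons)}."""
    per_client = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        per_client[rec["client_ip"]].append(rec)
    alerts = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        start, errors, paths = 0, 0, Counter()
        for rec in recs:
            errors += rec["status"] >= 400
            paths[rec["path"]] += 1
            while rec["ts"] - recs[start]["ts"] > window:  # drop records older than the window
                old = recs[start]
                errors -= old["status"] >= 400
                paths[old["path"]] -= 1
                if paths[old["path"]] == 0:
                    del paths[old["path"]]
                start += 1
            if errors > max_errors:
                alerts.setdefault(ip, set()).add("many error responses")
            if len(paths) > max_paths:
                alerts.setdefault(ip, set()).add("many distinct endpoints")
    return alerts

def sample_log():
    """Constructed log (not real traffic): one client walks endpoint after
    endpoint and mostly gets errors; another calls two endpoints normally."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = [log_request("GET", f"/api{i + 1}/flag", 403 if i % 2 else 404,
                         "198.51.100.7", ts=base + timedelta(seconds=30 * i))
             for i in range(10)]
    lines += [log_request("GET", "/api/items" if i % 2 else "/api/profile", 200,
                          "192.0.2.10", user="alice", ts=base + timedelta(minutes=i))
              for i in range(4)]
    return lines

if __name__ == "__main__":
    for ip, reasons in detect_probing(sample_log()).items():
        print(ip, sorted(reasons))  # prints the probing client with both reasons
```

In a real deployment the records would go to an append-only store or SIEM and the thresholds would be tuned to the API's normal traffic; the point is that without the records there is nothing for the monitor to read.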
And again, maybe you don't get that kind of detailed documentation, maybe you will, but remember that you can just find the endpoints by clicking through the website and analyzing it in Burp Suite, or by analyzing the mobile application as well using Burp Suite with an emulator. Once you get the endpoint, then it's all on you. And don't forget to disable this host on DigitalOcean or wherever you have created the server, so that your credit card won't get charged. So far so good. I hope you enjoyed this section. We're going to stop here and continue in the next one.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.